How to create reverse dynamic ssh port forwarding
I'm trying to set up an ssh tunnel layout where:
- client A (not ssh-server enabled) initiates ssh connection to server S
- socks server is opened on server S:yyyy that tunnels all data via client A
- client B connects socks server on server S, and tcp data routes via client A to the Internet
A possible solution would be to add a proxy server on Client A (bound to localhost:xxxx), and then run on client A ssh -R yyyy:localhost:xxxx Server. That would achieve the goal. But that's not as clean as using just ssh.
Is it possible to achieve this with just the ssh client on A and ssh-server on S? It's like reverse-dynamic-port-forwarding on ssh - creating ssh -D from A to S, and then somehow set up on this tunnel a second tunnel of ssh -D from S to A. Somewhat confusing, and not sure if possible.
ssh ssh-tunneling port-forwarding
edited Jan 15 '15 at 14:54
HalosGhost
asked Jan 15 '15 at 14:29
azv
Up to OpenSSH-6.7 I don't think it can be done simply, native socks proxy support works only in the direction ssh->sshd.
– mr.spuratic
Jan 15 '15 at 14:43
4 Answers
I was just searching for this and came across the same (or similar) question on Stack Overflow.
On client A ssh -R *:24680:localhost:12345 serverS
and then (still on client A) ssh -D 12345 localhost [1]
You need the * bit so it will bind to server S's public IP address and not just localhost.
Then on client B simply connect to the socks server at serverS:24680
[1] EDIT: I just realized that this won't work if client A doesn't have SSH Server because it can't ssh itself. I was thinking of a setup where client A had an SSH Server but was not accessible by Server S. But a similar setup could still work if you can install a socks server on client A and open it on port 12345.
edited Mar 20 '17 at 10:18
Community♦
answered Apr 29 '15 at 3:19
Hybrid
It works, great
– diyism
Dec 16 '15 at 4:57
OpenSSH 7.6 introduced reverse dynamic proxy as a native option. It is implemented entirely in the client, so the server does not need to be updated.
ssh -R 1080 server
answered Dec 7 '17 at 17:39
Elad Tsur
But you still need the SOCKS server, otherwise you just have a reverse tunnel...
– David Tonhofer
Dec 19 '18 at 19:54
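Whether the * in the first answer, or the bare -R 1080 in the second, ends up listening on server S's public address is decided by GatewayPorts and AllowTcpForwarding in S's sshd_config, not by the client alone. The script below is an added example, not part of any answer in this thread; the function names and the sample config are constructed, and it reads only the global section of the file (settings inside Match blocks are ignored).

```shell
#!/bin/sh
# Added example (not from the thread): predict where sshd on server S will
# bind the listener requested by `ssh -R`, from a copy of its sshd_config.

# first_value FILE KEYWORD DEFAULT
# Print the first global value of KEYWORD in lower case. sshd keeps the first
# value it reads for a keyword; anything after the first Match line is skipped.
first_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        {
            sub(/#.*/, "")          # drop comments
            sub(/=/, " ")           # "Keyword=value" is accepted as well
            if (NF == 0) next
            k = tolower($1)
            if (k == "match") exit  # global section ends at the first Match
            if (k == key) { print tolower($2); found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# remote_bind FILE BIND_ADDR
# BIND_ADDR is the bind address of the -R spec: '' when none is given
# (ssh -R 1080 server), '*' for ssh -R *:24680:..., or a literal address.
# Prints denied, loopback, all-interfaces or address:ADDR.
remote_bind() {
    fwd=$(first_value "$1" AllowTcpForwarding yes)
    gw=$(first_value "$1" GatewayPorts no)
    case $fwd in
        yes|all|remote) ;;                    # remote forwarding permitted
        *) echo denied; return 0 ;;           # "no" or "local"
    esac
    case $gw in
        yes) echo all-interfaces ;;           # server forces the wildcard
        clientspecified)                      # server honours the client
            case $2 in
                ''|localhost|127.*|::1) echo loopback ;;
                '*'|0.0.0.0|::)         echo all-interfaces ;;
                *)                      echo "address:$2" ;;
            esac ;;
        *) echo loopback ;;                   # default: "*" is not honoured
    esac
}

# Constructed sshd_config fragment for server S.
sample_config() {
    cat <<'EOF'
# constructed sample, not taken from a real host
Port 22
AllowTcpForwarding yes
GatewayPorts clientspecified
EOF
}

demo() {
    cfg=$(mktemp) || return 1
    sample_config > "$cfg"
    for bind in '' '*' 127.0.0.1; do
        printf '%-16s -> %s\n' "bind '${bind}'" "$(remote_bind "$cfg" "$bind")"
    done
    rm -f "$cfg"
}
demo
```

An all-interfaces result means the SOCKS listener, which has no authentication of its own, is reachable by anything that can reach that port on server S.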
This is quite straightforward.
On local side (Server S), start your openssh server. This will start ssh server by default on port 22 - you could change this port in /etc/ssh/sshd_config file, if necessary.
service ssh start
On remote side (Client A), start a socks proxy AND set a remote port on the local side to connect to the socks proxy.
ssh -N -D 127.0.0.1:8888 -p 22 <server-s>
ssh -N -R 2222:127.0.0.1:8888 -p 22 <server-s>
On local side (Server S), use socks proxy setup on port 2222 via e.g. to connect to Google.
curl --socks5 127.0.0.1:2222 https://www.google.com
answered Nov 6 '16 at 2:15
John
Unfortunately this solution won't work. The Google page might appear, but that's only because you'll be accessing it through Server S; not Client A. You can verify this by launching curl on httpbin.org or icanhazip.com or api.ipify.org instead. Traffic will be routed through the local socks proxy, which essentially sends it to Server S again -- the initial purpose of -D.
– AlexandreH
Oct 23 '17 at 22:28
Indeed the "ssh -D" process must not connect to the SSH server on server-s but must connect to an SSH server on Client A.
– David Tonhofer
Dec 19 '18 at 20:01
Don't know whether this helps anyone, here is a diagram for my setup that I managed to construct...
You will see two processes on MACHINE_B:
The SSH client connection to MACHINE_A (olive):
ssh -R 127.0.0.1:22344:127.0.0.1:4444 -i privkey.sshkey -N user_a@machine_a
The SSH client working as SOCKS server on port 4444 (dark green):
ssh -D localhost:4444 -N user_c@localhost
And one process on MACHINE_A, the one playing server listening on port 22344 (olive).
The light green process on MACHINE_B should appear when the light green process on MACHINE_A asks for a connection...
answered Dec 19 '18 at 20:32
David Tonhofer